What to Do If You Are Infected with Cryptoware

In this video, you will learn what Cryptoware is and what to do if your machine or device is infected with it.
In this video, we’re talking about what to do if you’re infected with cryptoware, also known as ransomware. So the worst has happened. A user opened an infected file, and now you have this scary face on your computer saying that your file has been encrypted and they’re going to start deleting the files if you don’t pay $150 in bitcoins. So what do you do? First off, try not to panic. I know it’s a really tough situation. It is really scary. But you need to be able to keep a clear head about what’s going on in order to get through this. So again, take a moment. Take a deep breath. Try not to panic. We’ll get through this.
Next up, paying the ransom gives you no guarantee that your files will be recovered. The fact that someone went to the trouble of infecting your computer, encrypting your files, they have no obligation to actually unlock it once you pay them that ransom. So do keep that in mind. I’m not saying that 100% you’re not going to get your files unlocked, but again, it’s been both cases when people pay ransoms. One, they actually got the keys. They got lucky. Two, they paid the ransom and nothing ever happened. If nothing else, paying the ransom, people get the idea that it’s a working system, and they’ll continue to do it.
And there’s no reason why they wouldn’t go back and reinfect your network again, because you did pay a ransom once. So again, it’s not recommended to pay the ransom. So what can we do once our network is infected? Well first, disconnect from the network. The computer that got infected– unplug the patch cable, turn off the Wi-Fi, help prevent the computer from spreading the virus across a network. Alert your IT department. If you’re not part of the IT group, make sure that you inform the IT department what’s going on.
If you are part of the IT group, you want to make sure that you let everyone else know, let your management know, and possibly let other managers know so they can make preparations, and also kind of let people know what’s going on and try to reduce the amount of panic. Try to identify the infection. So what you want to do is try to identify the file that actually caused the problem– the one that actually had the ransomware on it. The key is, that file may have the recovery key on there. And if you delete it, you destroy the file.
I have seen this in cases where a network did get infected by a ransomware and someone panicked and they file-shredded it. So we weren’t able to use that file to try to recover the network again, which made it a little bit tougher. Now, there are a number of decryption tools out there online. MajorGeeks has quite a big repository for a lot of different ransomware decryption keys, which maybe will help you out. There are also sites like RansomFree where you could potentially take the infected file, load it on the site, and they’ll try to go through and see if they have a decryption key for you. This is all free software and free services.
If that doesn’t work, you may need to rely on backups. Hopefully, you had good backups. Now when I say good backups, you should have one online and one off the network. Because again, if you have a ransomware attack, most likely, if it’s a good one, it’s going to move across your network, including your backup servers. That’s why you need to have one that’s offline. If you’re lucky, it didn’t hit your online backup servers. Or if you had an offline one, you may need to be able to recover those files, recover that network, from your backups. And also, you may need to look at outside vendors.
If your data is so important that you still need someone to take a look at it, you can always look at outside vendors that might be able to recover your files. But be warned, these services are typically not cheap, because these are particularly bad attacks. So prevention-wise, keep your computers and servers up to date. Having the latest patches on your computers is going to go a long way in preventing ransomware attacks. Have a good policy on unknown links, files, and media. Make sure that your users are trained on this. That’s also going to lower the number of attacks that get through to your system. Have your antivirus up to date and running.
Have a good backup of important data and services, both online and offline. Basically, you want to have multiple backups. Periodically test your backups and your backup solutions. Make sure that they’re working, and everyone knows how it needs to be restored. That way if worst comes to worst, you’re able to restore your files quickly and efficiently. Also, you want to try to train your users on what to do in the event of a ransomware attack. This is also going to help. Just having them know that they shouldn’t click on unknown links, or open these weird files, or plug a rogue USB device into the network.
That’s good, but having your users know what to do in a ransomware attack, it’s going to go a long way too. Those things go kind of hand-in-hand. Also, there are tools like RanSim. RanSim is from a company called KnowBe4. Now, RanSim is a pretty interesting program. It actually runs simulated ransomware attacks against your computer. So you could actually use this as a baseline to kind of check your computer images, and kind of find out where the weak points are where a ransomware attack maybe will get through. The other program you might want to look at is Acronis Ransomware Protection. It’s another free program where it’ll actually try to prevent ransomware.
So a lot of these programs will actually go out and kind of put dummy files out, or look for some kind of signatures from ransomware attacks. And this kind of runs hand-in-hand with the antivirus, so the two won’t kind of step on each other. So these are kind of good ways to go, and to try to prevent further attacks.
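
The “dummy files” technique mentioned above works by planting decoy files that no legitimate user touches and raising an alert the moment one is rewritten, renamed or deleted. The following is an added illustration, not code from the video or from any product named here; the decoy names and contents are constructed, and `demo()` only simulates the effect on the decoys (overwrite and rename) to show the monitor reacting.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed decoy names. Products typically pick names that sort early in a
# directory listing so an encryptor reaches them before real documents.
CANARY_NAMES = ["000_do_not_touch.docx", "aaa_invoice_backup.xlsx"]
CANARY_CONTENT = b"canary file - nobody should ever change this"


def plant_canaries(directory):
    """Write the decoy files and return a baseline of {path: sha256}."""
    baseline = {}
    for name in CANARY_NAMES:
        path = Path(directory) / name
        path.write_bytes(CANARY_CONTENT)
        baseline[str(path)] = hashlib.sha256(CANARY_CONTENT).hexdigest()
    return baseline


def check_canaries(baseline):
    """Compare the decoys against the baseline.

    Returns a list of (path, reason) for every decoy that is now missing
    (deleted or renamed) or whose content hash changed (rewritten in place).
    An empty list means no decoy was touched.
    """
    alerts = []
    for path, expected in baseline.items():
        p = Path(path)
        if not p.exists():
            alerts.append((path, "missing"))
            continue
        if hashlib.sha256(p.read_bytes()).hexdigest() != expected:
            alerts.append((path, "modified"))
    return alerts


def demo():
    """Check untouched decoys, then check again after simulating the file-level
    effects an encryptor has (one decoy overwritten, one renamed).
    Returns (alerts_before, alerts_after)."""
    with tempfile.TemporaryDirectory() as d:
        baseline = plant_canaries(d)
        before = check_canaries(baseline)
        first, second = (Path(p) for p in baseline)
        first.write_bytes(os.urandom(64))                       # rewritten
        second.rename(second.with_suffix(second.suffix + ".locked"))  # renamed
        after = check_canaries(baseline)
    return before, after
```

In practice the baseline is stored outside the monitored share and `check_canaries` is run on a short timer or from a file-system watcher, with any alert used to trigger the “disconnect from the network” step described above.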

Here is a summary of the steps you should follow:

  1. Disconnect from your network
  2. Alert IT
  3. Try to identify the infection
  4. Use a decryption tool
  5. Backup your data
  6. Contact an outside vendor

Reflect and share: Do you have other tips to share on how to prevent or respond to Cryptoware?

This article is from the free online course Cyber Security Foundations: Why Cyber Security is Important, created by FutureLearn - Learning For Life.